We are planning an initiative to look into the capability of SonarCloud for our SAST and software security initiatives.
Our CI/CD pipeline will be using: CircleCI
Software languages: Java, JavaScript, Angular, Kotlin
In reference to capability of SonarCloud, does it provide a feature to scan for API keys, tokens?
For the on-premises SonarQube, there is the following SonarQube plugin which can be leveraged for this feature: GitHub - Skyscanner/sonar-secrets: SonarQube plugin for identifying hardcoded secrets, such as passwords, API keys, AWS credentials, etc.
Are you allowed to add your own regex patterns? I don’t think this is as extensive as other tools for scanning for secrets. For example, cloud provider keys (like Azure or Google, etc.) for service accounts should be found.
Thanks for reaching out. We have in our 2021 roadmap the plan to provide a feature to find secrets and not only hard-coded credentials. Normally you should get out of the box the detection of most common secrets without the pain of providing custom regular expressions.
Apart from secrets/keys/tokens from the main cloud providers, which others would you like us to detect as a top priority?